[BlueOnyx:23018] Re: Security issue proftpd + deprecation of 5107R/5108R

Michael Stauber mstauber at blueonyx.it
Tue Jul 23 16:55:29 -05 2019


Hi all,

> I recently rolled up a Proftpd for 5210R built from the latest sources.
> I'll grab them again and will publish updated ProFTPds for all BlueOnyx
> versions today.

BlueOnyx 5209R now has an updated ProFTPd v1.3.7-RC1 available via YUM.
I also needed to publish updates for base-ftp-* and swatch to go
alongside, as the configuration option "IdentLookups" has been
deprecated and ProFTPd refuses to start if the config file still has it.
The updated base-ftp-* and swatch take care of that.

BlueOnyx 5207R/5208R versions of these updates are currently being built
and I'll post an update when they are out in the next few hours.

This leaves 5107R and 5108R and that leaves me in an awkward position:

The ProFTPd on it is ancient. The base-ftp module is ancient. In fact
the 5107R/5108R code tree hasn't seen *any* updates in 3-4 years. In
fact I even lost track if someone out there is still using it and never
went the really easy route to upgrade them via YUM to 5207R/5208R.

Therefore I have taken the decision to deprecate the old GUI models of
BlueOnyx 5107R/5108R effective immediately. This ProFTPd vulnerability
is an excuse as good as any other.

I'll now release a "blueonyx-yumconf" RPM to the 5107R/5108R YUM
repositories that forces a mandatory upgrade of them to 5207R/5208R
(respectively), which can easily be done via YUM and has been that way
for years. Now is the time to make sure that stragglers don't get left
behind and then get bitten by security bugs.

-- 
With best regards

Michael Stauber
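
A pre-upgrade check for the situation described in this message, where a leftover "IdentLookups" line keeps the updated ProFTPd from starting. This is an added example, not part of the original post and not BlueOnyx's own update code; the function names and the sample config are constructed, and matching the directive case-insensitively is an assumption made to err on the side of catching it.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): locate active "IdentLookups" lines in a
# ProFTPd config file and write a copy with them commented out.

# find_identlookups FILE
# Prints "LINENO:TEXT" for each active (uncommented) IdentLookups line.
# Case-insensitive matching is an assumption, chosen to be conservative.
find_identlookups() {
    grep -n -i -E '^[[:space:]]*IdentLookups([[:space:]]|$)' "$1"
}

# disable_identlookups SRC DST
# Copies SRC to DST, commenting out each active IdentLookups line.
# Lines that are already comments, and all other directives, are unchanged.
disable_identlookups() {
    awk '
        tolower($1) == "identlookups" { print "# disabled (deprecated): " $0; next }
        { print }
    ' "$1" > "$2"
}

# make_sample FILE
# Writes a constructed sample config (not a real BlueOnyx file).
make_sample() {
    cat > "$1" <<'EOF'
ServerName "example"
IdentLookups off
# IdentLookups on
<Global>
  identlookups off
</Global>
UseReverseDNS off
EOF
}

# Demo on the constructed sample: report the offending lines, then show the
# cleaned copy that would be reviewed before replacing the live config.
sample=$(mktemp)
fixed=$(mktemp)
make_sample "$sample"
echo "Active IdentLookups lines:"
find_identlookups "$sample"
disable_identlookups "$sample" "$fixed"
echo "Cleaned copy:"
cat "$fixed"
rm -f "$sample" "$fixed"
```

Run the check against every file the FTP configuration includes, not only the main one, since the directive can also sit inside a `<Global>` or virtual host block.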


